STE WILLIAMS

Meltdown/Spectre week three: world still knee-deep in something nasty

It’s now almost three weeks since The Register revealed the chip design flaws that Google later confirmed and the world still awaits certainty about what the mistakes mean and what it will take to fix them.

The short version: on balance, it looks like we took one step forward but last week didn’t offer many useful advances.

In the “plus” column, Microsoft and AMD got their act together to resume the flow of working fixes. Vendors started to offer tools to manage the chore of fixing the twin flaws, such as VMware’s dashboard kit for its vRealize Operations automation tools. Typing

 $ grep . /sys/devices/system/cpu/vulnerabilities/*

into a Linux terminal window now reveals whether you have a problem to address.
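As an added illustration, not code from the article, here is a small Python parser for that grep’s output. Each sysfs file holds one line beginning with one of the keywords the kernel writes (Not affected, Vulnerable or Mitigation:), and grep prefixes it with the file path; the sample output below is constructed in that shape rather than captured from a real host, and any state the parser does not recognise is reported as unknown rather than guessed.

```python
"""Interpret the per-CPU vulnerability files that
`grep . /sys/devices/system/cpu/vulnerabilities/*` prints on Linux."""
import os
from typing import Dict, List, Tuple

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample in the shape of the grep output on an early-2018 kernel;
# not captured from a real machine.
SAMPLE_OUTPUT = """\
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
"""


def parse_grep_output(text: str) -> Dict[str, Tuple[str, str]]:
    """Map vulnerability name -> (state, detail).

    state is "not_affected", "mitigated", "vulnerable" or "unknown";
    detail is the text after the keyword (e.g. the mitigation in use).
    """
    report: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # The path contains no colon, so the first one separates path and value.
        path, _, value = line.partition(":")
        name = os.path.basename(path.strip())
        value = value.strip()
        lowered = value.lower()
        if lowered.startswith("not affected"):
            state, detail = "not_affected", ""
        elif lowered.startswith("mitigation:"):
            state, detail = "mitigated", value[len("Mitigation:"):].strip()
        elif lowered.startswith("vulnerable"):
            state, detail = "vulnerable", value[len("Vulnerable"):].lstrip(": ").strip()
        else:
            # Newer kernels add states and files; flag them instead of guessing.
            state, detail = "unknown", value
        report[name] = (state, detail)
    return report


def needs_attention(report: Dict[str, Tuple[str, str]]) -> List[str]:
    """Names that still need patching or a manual look (vulnerable or unknown)."""
    return sorted(n for n, (state, _) in report.items() if state in ("vulnerable", "unknown"))


def read_live_sysfs() -> Dict[str, Tuple[str, str]]:
    """Read the real files on a Linux host; returns {} where the directory is absent."""
    if not os.path.isdir(SYSFS_DIR):
        return {}
    lines = []
    for fname in sorted(os.listdir(SYSFS_DIR)):
        with open(os.path.join(SYSFS_DIR, fname)) as f:
            lines.append(f"{SYSFS_DIR}/{fname}:{f.read().strip()}")
    return parse_grep_output("\n".join(lines))


if __name__ == "__main__":
    # Use the live files when present, otherwise the constructed sample.
    result = read_live_sysfs() or parse_grep_output(SAMPLE_OUTPUT)
    for name, (state, detail) in sorted(result.items()):
        print(f"{name:12} {state:13} {detail}")
    print("needs attention:", needs_attention(result))
```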

On the downside, Intel faced a rebellion of sorts as major enterprise vendors like Red Hat, Lenovo, VMware and many others told their users to ignore Chipzilla’s first batch of microcode updates because they made servers reboot a lot. Intel first said only Broadwell and Haswell CPUs had the problem, but later said its more recent Ivy Bridge, Sandy Bridge, Skylake and Kaby Lake architectures are all misbehaving after patching. The company also revealed that data centre workloads will be slower after it’s done patching.

That’s bad news for all sorts of reasons, not least that some users rushing to cope with the twin menaces may have overlooked that appliances sold as “it just does the job, don’t worry about the innards” often have Intel Inside. Hence analyst firm Gartner’s advice to remember that devices like application delivery controllers or WAN optimisation boxen pack x86s, need a fix and won’t optimise things quite as optimally from now on. Which means talking to telcos and all sorts of other fun. News that software-defined storage powered by ZFS or Microsoft may slow down can’t have put smiles on too many faces either.

Also unwelcome was news that Spectre impacts Oracle’s SPARC platform, with patches due some time in February. Nor are the hordes of smaller ARM licensees making much noise.


News that the sky’s not fallen in on public clouds won a better reception. Indeed, there are even signs that big players have stopped worrying and learned to love the bomb, or at least to minimise the impact of their patches.

Smaller clouds have had less to say, perhaps because they resent not having been included in the original cabal that nutted out a response to Meltdown/Spectre. The Register hears gossip to the effect that Oracle, for one, is furious it wasn’t immediately included at the top table. It has, however, scheduled and/or executed patches. We’ve seen evidence of the same at VMware-on-AWS, Linode, IBM cloud and others.

But we’ve also heard an industry-wide silence about CPU-makers’ roadmaps for a Meltdown-and-Spectre-free future. Rumours are rife that a generation of products will have to be redesigned, at unknowable expense and after un-guessable amounts of time.

The news isn’t all glum, however: marketers have cottoned on to the fact that Meltdown and Spectre represent an opportunity to spruik products like data centre inventory tools or performance analysis code. Their offers aren’t classy, but are at least far more sensible than all the initial coin offerings landing in Reg inboxes. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/22/meltdown_spectre_week_three_the_good_the_bad_and_the_wtf/

Smut site fingered as source of a million US net neutrality comments

SHMOOCON 2018 A new analysis of the comments made on the United States Federal Communications Commission’s consultation on the future of net neutrality has shown the whole process of public comments was fatally flawed.

Speaking at the ShmooCon hacking conference in Washington DC, Leah Figueroa, lead data engineer at data analytics firm Gravwell, detailed how analysing data from comments showed some massive anomalies. In particular, Figueroa found that over a million messages were sent by commenters who logged smut site P*rnHub as their email provider.

“As of July 2018 P*rnHub had only 55 employees, which means either they sent all out over 18,000 submissions per person or there was something unusual going on,” she said.

Figueroa analysed submissions from over 22 million comments to the FCC and found a lot of odd behavior. Over a thousand came from [email protected] for example, but that address is linked to an Indian GitHub repository.

Oddly, the FCC allowed batch submissions of comments on its net neutrality proposals without verifying email addresses, and Figueroa said plenty of these looked inauthentic. Hundreds of thousands of comments were submitted at exactly midnight on four separate days in July – hardly normal behavior.

The majority of these batch submissions were anti-net neutrality, and if you strip them out only about 17 per cent of the comments actually came from likely-to-be-people logging on to the FCC’s website and filing a personal message.

Even after the batch-submitted comments were removed the pattern of comments still looks suspect. Many appeared to have come from bots and the timing of submissions didn’t always sync with the US times you’d expect. Such submissions were also typically in ALL CAPS, rather than conventional text.

After removal of the oddly-sourced-or-worded comments, the vast majority of the comments submitted directly to the FCC’s website supported net neutrality.

However, in the end it didn’t matter that much, because the Republican members of the FCC decided that comments wouldn’t influence their decision. Commissioner Michael O’Rielly argued that the agency didn’t have to take comments into account when it made its decision on strictly party-political lines.

New York Attorney General Eric Schneiderman has said he is investigating the comments process on the grounds that some of his constituents may have suffered from identity theft. However, the FCC has backtracked on an earlier promise to cooperate and is now stonewalling any investigation.

American democracy – ain’t it great. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/22/smut_site_fingered_for_fraud_after_a_million_net_neutrality_comments_get_sent/

Unlocked: The hidden love note on the grave of America’s first crypto power-couple

Shmoocon Among the 400,000 graves at the Arlington National Cemetery – a solemn US military graveyard in Virginia – lies the final resting place of cryptography pioneers William and Elizebeth Friedman.

And hidden in code on their tombstone is a touching tribute from a wife to her husband. A code that’s only now just been cracked, decades after it was engraved in the cool stone.

William, born 1891, and Elizebeth, born a year later, married in 1917.

Among many cryptological feats, the couple trained America’s first cadre of code-breakers after developing an interest in cryptography while examining the so-called Baconian cipher – developed by the British Elizabethan cryptographer Sir Francis Bacon.

William invented the term cryptanalysis, and pretty much broke the key Japanese World War II cipher Purple – so named because transcripts were kept in purple folders.

Meanwhile, Elizebeth was America’s first woman cryptanalyst, and encouraged her husband to pursue cryptography. She also worked with the US government to break the communication codes of rum runners during the prohibition era, and helped crack Germany’s Enigma machine ciphers during World War II.

In 1969, at the age of 78, William died, and was buried at Arlington. His wife designed his gravestone, consisting of a pair of crossed flags – the symbol of William’s military signals unit – and one of his favorite phrases, “Knowledge is power,” a quote attributed to Sir Francis.

The same phrase appeared in code in the graduation photograph of the 1918 code-breakers class the Friedmans taught, in which some of the students faced sideways and others look straight at the camera. The direction of their faces spelled out a phrase using the Baconian cipher.

Smart … Part of the crypto-class graduation photo in 1918

Sir Francis came up with a code whereby every letter in the alphabet could be represented by a group of five ‘a’ or ‘b’ letters. For example, N is ‘abbaa’, and O is ‘abbab’. In the class photo, by converting the direction of each person’s face – ahead or to the side – into an ‘a’ or a ‘b’, and running the result through the cipher, the class lineup spelled out: KNOWLEDGE IS POWER.

Shortly after moving to Washington DC, cryptographer Elonka Dunin paid a visit to the Friedmans’ grave. Elizebeth was buried alongside her husband after her death in 1980, and her name was added to the tombstone. Dunin noticed something odd. The phrase “Knowledge is Power” was chiseled into the stone using a mix of serif and sans-serif letter designs.

If you assume the serif letters represent a ‘b’, and the sans-serif characters are each an ‘a’, the phrase can be converted into ‘babaa aabab aabab’, if you discount the final letter r.

Running that sequence through the Baconian cipher spells out WFF, William’s initials. Dunin told this year’s Shmoocon computer security conference in Washington DC on Friday that she believes this is a hidden note to William from his wife when she designed his gravestone.

Encoded … ‘Knowledge is power’ written on the couple’s tombstone

The pair had a reputation for this sort of thing. They wrote a book together in 1957 called The Shakespearean Ciphers Examined, which thoroughly debunked the theory that Sir Francis wrote many of the Bard’s plays and left coded clues in his manuscripts.

On page 257 of the book, in the bottom paragraph, the authors bolded up certain letters and left others untouched. When translated using Bacon’s cipher, the message read: “I did not write the plays, F Bacon.”

Confirmation … A note planning the grave’s design

The final confirmation of Dunin’s theory about the tombstone came after an examination of the Friedman papers in the Marshall Library, where a note by Elizebeth was found indicating how the WFF message was generated – by breaking up “Knowledge is Power” into three letters using Sir Francis’ algorithm.
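The mechanism behind the tombstone, the class photo and the page-257 message is the same biliteral cipher, so here is one added Python implementation covering all three; it is not code from the article or from Dunin. It uses Bacon’s original 24-letter alphabet (I/J and U/V share a code), which is the table the article’s values follow: N = abbaa, O = abbab, and ‘babaa aabab aabab’ = WFF. The list of serif/sans faces for the fifteen carrier letters is a constructed reconstruction derived from that ‘babaa aabab aabab’ reading, not from a photograph of the stone.

```python
"""Bacon's biliteral cipher: encode letters as five 'a'/'b' symbols and
recover a hidden message from a carrier text's typefaces."""
from typing import Sequence

# Bacon's original 24-letter alphabet: I and J share abaaa, U and V share baabb.
_ALPHABET = "ABCDEFGHIKLMNOPQRSTUWXYZ"


def encode_letter(ch: str) -> str:
    """Five-symbol code of one letter (J folds into I, V into U)."""
    ch = ch.upper().replace("J", "I").replace("V", "U")
    idx = _ALPHABET.index(ch)  # raises ValueError for a non-letter
    return format(idx, "05b").replace("0", "a").replace("1", "b")


def encode(text: str) -> str:
    """Encode the letters of text; spaces and punctuation are dropped."""
    return "".join(encode_letter(c) for c in text if c.isalpha())


def decode(bits: str) -> str:
    """Decode a run of a/b symbols; anything else is ignored and a trailing
    partial group (fewer than five symbols) is discarded."""
    clean = "".join(c for c in bits.lower() if c in "ab")
    out = []
    for i in range(0, len(clean) - len(clean) % 5, 5):
        group = clean[i:i + 5]
        idx = int(group.replace("a", "0").replace("b", "1"), 2)
        if idx >= len(_ALPHABET):
            raise ValueError(f"group {group!r} is not a code in Bacon's 24-letter table")
        out.append(_ALPHABET[idx])
    return "".join(out)


def decode_typefaces(faces: Sequence[str]) -> str:
    """Carrier text given as one 'serif'/'sans' entry per letter, read with the
    article's convention: serif = b, sans-serif = a."""
    bits = "".join("b" if f == "serif" else "a" for f in faces)
    return decode(bits)


# Constructed reconstruction of the tombstone lettering (KNOWLEDGE IS POWE, the
# final R dropped), derived from the 'babaa aabab aabab' reading, not from the stone.
TOMBSTONE_FACES = [
    "serif", "sans", "serif", "sans", "sans",   # K N O W L  -> babaa
    "sans", "sans", "serif", "sans", "serif",   # E D G E I  -> aabab
    "sans", "sans", "serif", "sans", "serif",   # S P O W E  -> aabab
]

if __name__ == "__main__":
    print(decode_typefaces(TOMBSTONE_FACES))              # the hidden initials
    photo = encode("KNOWLEDGE IS POWER")                 # 16 letters -> 80 faces
    print(len(photo), "faces needed for the class photo;", decode(photo))
    print(decode(encode("I did not write the plays, F Bacon")))
```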

Like all mortals, cryptographers die – but their hidden notes live on unbroken for decades, if not forever. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/20/friedman_cryptographic_grave_message/

America restarts dodgy spying program – just as classified surveillance abuse memo emerges

Analysis The US Senate reauthorized a controversial NSA spying program on Thursday – and then, because it’s 2018 and nothing matters any more, embarked on a partisan battle over a confidential memo that outlines Uncle Sam’s alleged abuse of surveillance powers.

The so-called section 702 FISA snooping system, renewed this week, has been the focus of a multi-year campaign by a minority of lawmakers who are upset it has mutated from a foreign intelligence-gathering tool into a domestic spying program.

Despite numerous appeals, press conferences, competing legislation and speeches outlining abuse of the program, on Thursday a majority of senators ignored pleas for a proper warrant requirement to be added to the program – that would require the Feds to always go to a judge before searching the communications of a US citizen – and voted to continue the surveillance for a further six years.

With both the Senate and the House of Reps happy with the reauthorization, it’s now set to be signed off by President Donald Trump. As it stands, the NSA can snoop on foreigners’ communications and internet activity abroad as usual, and the FBI can request access to a database of that collected information. If the Feds need to pull up chatter and other records on American citizens – “incidentally” collected as part of that foreign intelligence gathering – they’ll need a warrant approved by a judge.

However, the agents won’t need a warrant if they are looking into…

Death, kidnapping, serious bodily injury, offense against a minor, destruction of critical infrastructure, cybersecurity, transnational crime, and human trafficking

…which are basically the crimes the FBI investigates. Ergo, it’s unlikely the Feds will seek warrants to search the NSA’s section 702 data stores for stuff on American citizens.

Politics

Just hours after the section 702 program was given the final green light before the president can sign on the dotted line, the Senate’s intelligence committee approved the release of a confidential four-page memo alleging previous abuse of the FISA spying program to the rest of Congress. The public is unable to see it.

The mysterious missive was drafted by House intelligence committee chairman Devin Nunes (R-CA), and of course it could be looney-tunes nonsense. Regardless, a number of lawmakers who have only just now read the memo have said that had they been aware of the misconduct detailed in it, they would not have voted for the reauthorization of section 702 of the FISA Amendments Act.

Republican lawmakers in particular, having seen the report, embarked on a fiercely partisan campaign accusing the Obama administration of snooping on the Trump presidential campaign using the foreigner-targeting FISA laws.

Here we go

“I have read the memo. The sickening reality has set in. I no longer hold out hope there is an innocent explanation for the information the public has seen. I have long said it is worse than Watergate. It was #neverTrump and #alwaysHillary #releasethememo,” tweeted Representative Steve King (R-IA).

“I read the classified #FISAmemo today this needs to be released immediately as well as all of the relevant material that is sourced in the doc. The American public must be given the opportunity to view ALL of this right away! #ReleaseTheMemo,” tweeted Representative Lee Zeldin (R-NY), later taking the floor of the House and declaring: “The American public deserves the truth. We should not hide the truth from them, they’ve waited too long. Do not pull wool over their eyes. Show them the facts. They deserve nothing less.”

At the heart of the argument is the allegation that the FBI used foreign-intelligence-gathering FISA laws to tap the communications of key Trump campaign staff who were in touch with Kremlin officials. Said Putin aides were likely on the NSA’s foreign targets list.

That eavesdropping fits very squarely within the remit of FISA, which allows US spies to intercept the communications of American citizens if they are seen to be communicating with foreign intelligence targets.

Not news

This is not news to those that have closely followed the use of FISA spying powers. Ever since Michael Flynn was fired as a national security advisor for lying about his discussions with Russian Ambassador Sergey Kislyak, people have concluded that the Trump campaign was subject to a FISA Title I warrant. How else would the FBI have known he was lying to the White House?

But rather than dig into the events and question the potential abuse of the NSA’s surveillance networks, the majority of Congress actively ignored the uncomfortable reality for months.

Until that is, they reauthorized the section 702 mass surveillance system for another six years. And then the fact that the Obama-era FBI listened in on the campaign of now-president Donald Trump has been magically produced like a rabbit out of a hat.

The hypocrisy is stunning, even for Congress. One moment, Republicans insist a Big Brother program is needed to foil terrorists abroad, ignoring its ability to pry into the lives of Americans. The next moment, Republicans are upset the same set of laws were indeed used to pry into the lives of Americans – some of the folks working for Team Trump.

It is worth noting that the NSA and FBI have publicly denied for years that there has been abuse of the FISA spying programs. There have been occasional, very vague reports of a very small number of personnel misusing the system – but they have always been painted as either accidental or some sort of personal issue that has been dealt with harshly.

The intelligence services have fiercely disputed any suggestion that the extraordinary powers they possess have ever been used in anything but the most honest fashion. You know, cracking down on anti-West terror bad guys, and so on.

Congresscriters who now claim to be shocked – shocked! – about FISA’s sweeping capabilities – have been willfully ignoring determined efforts in both the House and the Senate in recent weeks to have a full debate about the extent of spying powers that the US government possesses.

Last week, an effort to introduce a revised version of the section 702 reauthorization bill in the House was narrowly defeated 233-183, and the unchanged version was passed 256-164.

Speeches

And this week, the cloture vote on section 702 – which shut down debate and amendments in the Senate – only just passed despite an effort to stop it, with proceedings held up for an hour while the Republican leadership scrambled to find enough senators to reach the 60-vote threshold.

Just yesterday, as the Senate voted to approve the program without significant change, Senator Ron Wyden (D-OR) gave an impassioned 50-minute speech about how section 702 was being used unlawfully to spy on American citizens.

In one part of that speech, he even went into great detail over how the Director of National Intelligence had publicly denied that Uncle Sam was able to intercept communications between US citizens on US soil – and then, when challenged subsequently, claimed to have heard a different question.

When Wyden asked the same question again, the director refused to answer, claiming that it was classified. “How can a topic in which the director of national intelligence has already given an answer in public suddenly become classified?” asked Wyden in his speech.

But if all that wasn’t enough, we will all likely be subject to one more head-holding display of hypocrisy when President Trump signs the reauthorization bill into law – despite the fact congressfolk are railing against the same set of FISA laws being used to spy on his campaign.

Welcome to 2018. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/19/us_congress_section_702_fisa_memo/

Up to 40K Affected in Credit Card Breach at OnePlus

The smartphone manufacturer has sent an email to anyone who may have been affected in the breach.

Chinese smartphone manufacturer OnePlus has reported a credit card breach affecting up to 40,000 users at oneplus.net. Users who entered their credit card data on the website between mid-November 2017 and January 11, 2018 could be at risk.

Over the weekend of Jan. 13, OnePlus customers reported unknown credit card transactions appearing on their accounts following purchases from oneplus.net. The company began an investigation and learned one of its systems was attacked. A malicious script was injected into the payment page code to discover credit card information as it was being entered.

The malicious script has been eliminated, the infected server quarantined, and all relevant system structures reinforced. Users who paid using a saved credit card, the “Credit Card via PayPal” option, or PayPal should not be affected, OnePlus reports.

“This breach should be a reminder that HTTPS, while encrypted, is not a guarantee of a secure transaction as attackers can compromise the systems at both ends of any encrypted conversation,” says Chris Morales, head of security analytics at Vectra.



Article source: https://www.darkreading.com/endpoint/up-to-40k-affected-in-credit-card-breach-at-oneplus/d/d-id/1330858?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Kaspersky Lab Seeks Injunction Against US Government Ban

Revenues and reputation have taken a hit in the wake of the US Department of Homeland Security’s decision to prohibit use of its products and services by the feds, the company says.

Security vendor Kaspersky Lab has filed a motion for a preliminary injunction in its lawsuit challenging the US government’s recent ban on the use of the company’s anti-malware products by federal agencies.

The ban has seriously hurt Kaspersky Lab’s reputation and revenues and should be overturned expeditiously, the company argued in the motion filed Wednesday in US District Court for the District of Columbia.

The US Department of Homeland Security (DHS) last September ordered the removal of Kaspersky Lab software and services from all federal information systems covered under the Federal Information Systems Management Act, and banned further use of all products from the company.

The ban, issued under DHS Binding Operational Directive (BOD) 17-01, stemmed from concerns about the firm’s ties to the Russian government and the belief that Russian agents had used the company’s software to steal sensitive data from US government systems.

In its motion, Kaspersky Lab claimed the ban has caused considerable reputational damage and loss of sales to the company in North America. The debarment has precluded Kaspersky Lab from doing business with the US federal government, while hurting its consumer and commercial business as well, the motion said. US retailers that used to carry its products have now removed it from their shelves and are encouraging customers to switch to rival products, resulting in an overall decline in North American sales of over 50% during the second half of 2017.

According to Kaspersky Lab, the government issued the BOD without giving the company enough notice or enough of an opportunity to contest the evidence for the ban, thereby violating Fifth Amendment rights to due process. The BOD is also not supported by any substantial evidence and is therefore both “arbitrary and capricious,” Kaspersky Lab said in seeking an injunction overturning the ban.

“DHS used the BOD to achieve a preordained result—the immediate debarment of Kaspersky Lab, and the consequential and foreseeable adverse effect on its U.S. commercial sales,” the security vendor said in its motion.

“The BOD achieved this result while depriving Kaspersky Lab of any meaningful or constitutionally sound process to challenge the tenuous, often anonymous, and uncorroborated media stories and other self-serving public statements which DHS relied upon to justify its action.”

Ed McAndrew, a trial lawyer at Ballard Spahr, says Kaspersky Lab’s injunction is curious in what it does not seek.

After the ban went into effect, it was codified into law under the 2018 National Defense Authorization Act, he says, and as a result, the government will likely argue that Kaspersky’s challenge to the agency actions is moot.

Kaspersky Lab is attempting to use the Administrative Procedures Act (APA) to challenge DHS’s administrative actions. But “there’s no need to focus on the administrative action because we now have the ban codified as a law,” McAndrew says.

In addition, the DC federal court has previously already ruled in another case that the APA does not provide a basis for judicial review under FISMA, he adds.

The security vendor’s bid to get a temporary injunction – and eventually a permanent injunction – against the ban faces other legal challenges as well, McAndrew notes. To obtain injunctive relief the company will have to prove a variety of things, including the fact that it will suffer irreparable harm, and that issuing an injunction would be in the public interest. It is unlikely that the company will be able to satisfy any, let alone all, of the requirements, he says.

“Winning the case may not be Kaspersky’s only objective,” however, McAndrew notes. “Seeking injunctive relief will provide Kaspersky with a public judicial forum in which to air its dispute with the government’s action – and perhaps to attempt to repair its reputation.”

If a hearing is held, Kaspersky Lab will have an opportunity to publicly present evidence disputing the debarment while requiring the government to present public proof of the basis for its decision to ban Kaspersky Lab products, he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/kaspersky-lab-seeks-injunction-against-us-government-ban/d/d-id/1330860?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

90% of Gmail users could improve their security easily, but don’t

Google has finally admitted something alarming about the world’s one billion regular Gmail users – barely any have turned on two-step verification (2SV) security.

Seven years after 2SV first appeared, take-up is still under 10%, engineer Grzegorz Milka is reported to have told a session at the Enigma 2018 Usenix security conference.

Milka went on to mention a Google-sponsored study from November that analysed how criminals target Gmail, and why these accounts have become so highly prized – a way of saying the company isn’t happy with the status quo.

One could debate whether ‘under 10 percent’ is really that bad – that’s at least tens of millions of accounts after all – but what’s clear is since 2011 Gmail has added a lot of new users without adding a lot of new 2SV users.

The importance of using 2SV (a form of multi-factor authentication or MFA) with Gmail and other sites has been a running theme on Naked Security for some time. It’s not difficult to set up, it costs nothing and, best of all, it is guaranteed to raise the bar for attackers.

Why, then, aren’t more Gmail users interested?

Milka offered a clue when he was asked why, if it’s such a great idea, Google doesn’t simply make using it mandatory:

It’s about how many people would we drive out if we force them to use additional security.

It seems people have enough trouble coping with passwords that enforcing another security layer through 2SV would break usability.

Google’s caution is understandable but overly pessimistic. The real problem with 2SV isn’t that it’s irksome to use – it isn’t – but that not enough people have heard of it or, if they have, are confused by the myriad ways of using it across different services.

With Gmail, one place to start is by running the ‘Security Check-Up’ in the Google account settings, which tells the user whether they have 2SV turned on or not.

If not, the oldest option to add it is SMS, which sends one-time codes as texts every time a user logs in. A lot of sites, including Google, still offer this but it’s no longer considered secure thanks to attacks such as SIM-swap fraud.

Recently, Google has started pushing users to something called Google Prompt, which verifies logins with a simple yes/no question sent as a push notification to Android and iOS devices through Google’s own software layer.

A more involved but versatile option is to download Google’s Authenticator app, which generates one-time codes without these needing to be sent via a public network at all. Authenticator also works with third-party services such as WordPress, LastPass, and Facebook.

The most secure option of all is to use a hardware token such as the USB-based U2F YubiKey. The drawback is partly cost (around $20), and the fact that smartphones require separate tokens with NFC capability.

Gmail users who believe they are at particular risk of being targeted by criminals can join the Advanced Protection Program (APP), a free service that imposes additional checks when accessing accounts. This is only recommended where the extra hassle can be justified.

See the problem? Too many choices. But better too much of a good thing than to go on avoiding the fact that using an important online service without some form of MFA has become a risk no informed user should take.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0KM0NBU9K_Y/

The Google Play “Super Antivirus” that’s not so super at all… [REPORT]

Remember fake anti-virus?

It was a big money-making gimmick used by cybercriminals a few years ago, aimed at regular computers and mobile devices alike.

The idea was staggeringly simple: run a free “scan” that pretended to whizz through your hard disk or phone storage, looking for those stubborn malware infections that your traditional anti-virus had missed.

What’s not to like about a free second opinion?

After all, Sophos offers just the same sort of thing, also free, for desktops, laptops and mobiles.

But the typical fake anti-virus had three huge differences from a genuine free product:

  1. It didn’t actually look for threats. It usually picked some filenames at random, and told you they were infected with some mysterious-sounding virus, using a threat name that did exist if you went and searched for it. The whole thing was a pack of lies, but lies that were told-and-sold with visual panache and unswerving confidence.
  2. When you clicked [Clean up], it suddenly wasn’t free any more. You had to pay to get a licence code to activate the cleanup module.
  3. If you paid, the “threats” magically disappeared. Nothing was cleaned up, of course, because the fake anti-virus wouldn’t have known what to do with a virus even if it could have detected it in the first place. All the product did was secretly activate a configuration option that put it into Fake Clean Bill Of Health mode.

For a while, fake anti-virus was surprisingly successful for the crooks, not least because many of the victims simply didn’t realise that they’d been fleeced: the price seemed about right, the product seemed to have done what it said; there was no reason to complain to the credit card company for a refund.

Even teenaged beginners could get in on the game.

Back in 2014, for example, Google took $3.99 from tens of thousands of users for an app called Virus Shield, a fake anti-virus that was accepted into the Play Store even though it was so bogus that it didn’t even bother to show the filenames it was pretending to scan – it just ran a progress bar from left to right, and that was that.

A 17-year-old was behind that scam, and he nearly got away with it because Google’s official app refund policy only covered a 15-minute window after downloading the app, although reason prevailed in the end, and Google gave everyone their money back.

Fake anti-virus is back

Well, fake anti-virus is back – and back in the Google Play Store, at that – with an interesting twist.

This time, the app, Super Antivirus 2018, actually “detects” things – because it uses a built-in blocklist of other apps, it can at least claim to be reporting the presence of specific apps, even if those apps aren’t malware at all.

Also, Super Antivirus 2018 doesn’t do the “now you have to pay” trick; instead, it launches into aggressive advertising for an additional security app with a real mouthful of a name: Security Elite – Clean Virus, Antivirus, Booster.

If you grab that app, then you are bombarded with yet more ads, for an experience that won’t make you any more secure, but will almost certainly leave you hopping in annoyance.

SophosLabs researcher Rowland Yu has published a fascinating technical report digging into the details of how this not-so-super anti-virus charade unfolded, and what Sophos did about it – why not read it now? [PDF link, ungated.]


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LK00hLL-eIc/

Who’s using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication

Usenix Enigma It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it.

In a presentation at Usenix’s Enigma 2018 security conference in California, Google software engineer Grzegorz Milka today revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.

We polled El Reg readers on Twitter just before we published this piece, asking: “What percentage, rounded to nearest integer, of Gmail users do you think use two-factor authentication?” Out of 838 followers who responded within the hour, 82 per cent correctly selected less than 10 per cent. The rest picked more than 10 per cent.

Two-step auth stats

Shameful … Milka’s stats at Enigma

The Register asked Milka why Google didn’t just make two-factor mandatory across all accounts, and the response was telling. “The answer is usability,” he replied. “It’s about how many people would we drive out if we force them to use additional security.”

Please, if you haven’t already done so, just enable two-step authentication. This means that when you or someone else tries to log into your account, they need not only your password but authorization from another device, such as your phone. So, simply stealing your password isn’t enough – they need your unlocked phone, or similar, to get in.

Google has tried to make the whole process easier to use, but it seems netizens just can’t handle it. More than 10 per cent of those trying to use the defense mechanism had problems just inputting an access code sent via SMS.

What if you don’t have two-step authentication, and someone hijacks your account? Well, Google is on the look out for that, too.

Stages of an attack

Anatomy of a hack … An account hijacker’s actions

To spot criminals and other miscreants commandeering a victim’s webmail inbox, the Chocolate Factory has increased its use of heuristics to detect dodgy behavior. A typical attacker follows a routine: once they manage to get into an account, they disable notifications to the owner, ransack the inbox for immediately valuable material such as Bitcoin wallet details or intimate photos, copy the contacts list, and then install a mail filter to hide their activity from the owner.
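The routine above is exactly the kind of sequence a simple heuristic can score. The following is an added example, not Google's detection code and not from the article: it assumes a webmail audit log with one whitespace-separated event per line (`<epoch-seconds> <account> <event> [key=value ...]`), and the event names, weights, window and threshold are all invented for illustration. The sample log is constructed. Each indicator from the routine (notifications off, searches for wallet or photo material, contacts export, a filter that deletes, forwards or archives mail) adds to a per-session score, counted only within a short window after a login, and an account is flagged when the score crosses the threshold.

```python
"""Toy heuristic for the account-hijack routine described above.

Assumed log format (not from the article):
    <epoch-seconds> <account> <event> [key=value ...]
Event names, weights, window and threshold are invented for this example.
"""
from collections import defaultdict

# Indicators drawn from the routine in the article, each with an invented weight.
INDICATORS = {
    "notifications_disabled": 2,
    "sensitive_search": 1,       # searches for wallet / password / photo material
    "contacts_export": 2,
    "filter_created": 2,         # filters that hide or divert incoming mail
}
SENSITIVE_TERMS = ("wallet", "bitcoin", "seed", "password", "photo")
WINDOW_SECONDS = 30 * 60       # indicators only count within 30 min of a login
ALERT_THRESHOLD = 5


def parse_line(line):
    """Split one audit line into (timestamp, account, event, attrs)."""
    ts, account, event, *kv = line.split()
    attrs = dict(item.split("=", 1) for item in kv)
    return int(ts), account, event, attrs


def classify(event, attrs):
    """Map a raw event to an indicator name, or None if it looks benign."""
    if event == "settings_change" and attrs.get("notifications") == "off":
        return "notifications_disabled"
    if event == "search" and any(t in attrs.get("q", "").lower() for t in SENSITIVE_TERMS):
        return "sensitive_search"
    if event == "contacts_export":
        return "contacts_export"
    if event == "filter_create" and attrs.get("action") in ("delete", "forward", "archive"):
        return "filter_created"
    return None


def score_sessions(lines):
    """Return {account: (score, [indicators])} for accounts whose post-login
    activity matches enough of the hijack routine to cross ALERT_THRESHOLD."""
    last_login = {}
    hits = defaultdict(list)
    for line in lines:
        ts, account, event, attrs = parse_line(line)
        if event == "login":
            last_login[account] = ts
            hits[account] = []          # each login starts a fresh session score
            continue
        login_ts = last_login.get(account)
        if login_ts is None or ts - login_ts > WINDOW_SECONDS:
            continue                    # outside the window: not scored
        name = classify(event, attrs)
        if name and name not in hits[account]:
            hits[account].append(name)  # each indicator counts once per session
    alerts = {}
    for account, names in hits.items():
        score = sum(INDICATORS[n] for n in names)
        if score >= ALERT_THRESHOLD:
            alerts[account] = (score, names)
    return alerts


# Constructed sample log: alice shows the full routine minutes after login,
# bob is ordinary use, carol has the same indicators but hours after her login.
SAMPLE_LOG = [
    "1516200000 alice login ip=203.0.113.9 new_device=yes",
    "1516200060 alice settings_change notifications=off",
    "1516200120 alice search q=bitcoin+wallet",
    "1516200180 alice contacts_export format=csv",
    "1516200240 alice filter_create match=from:security action=delete",
    "1516200000 bob login ip=198.51.100.4 new_device=no",
    "1516200300 bob search q=lunch+menu",
    "1516200400 bob filter_create match=from:newsletter action=archive",
    "1516100000 carol login ip=192.0.2.7 new_device=no",
    "1516200000 carol settings_change notifications=off",
    "1516200100 carol contacts_export format=csv",
    "1516200200 carol filter_create match=from:bank action=forward",
]

if __name__ == "__main__":
    for account, (score, names) in score_sessions(SAMPLE_LOG).items():
        print(f"ALERT {account}: score={score} indicators={names}")
```

Only alice is flagged: bob's single archive filter scores 2, and carol's indicators fall outside the post-login window, which is the point of tying the heuristic to a session rather than to the raw count of sensitive actions.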

By looking out for and alerting folks to these shenanigans, Google hopes to make account hijackings less commonplace. But, given netizens’ lack of interest in security, warnings about suspicious activity are unlikely to get people moving to protect their information. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/17/no_one_uses_two_factor_authentication/

There are other, legal ways to nab Microsoft emails, privacy groups remind Supremes

Allowing Uncle Sam to seize emails stored in Microsoft’s Irish data centre would violate foreign data protection laws and risk setting a damaging precedent, the US Supreme Court has been told.

In briefs filed in the long-running dispute, IBM and international campaign groups argued that the government does have other ways of gaining the information.

They are lobbying for the Supreme Court to uphold the decision made by the United States Court of Appeals for the Second Circuit, which ruled in Microsoft’s favour. The Supremes were brought into the spat after the US Department of Justice appealed the Second Circuit’s decision.

Privacy International, backed by 26 other global rights groups, filed an amicus brief (PDF) that warned of the “profound implications for the resilience of data protection laws all over the world”.

It argued that in demanding access to emails stored in servers in another country, the warrant “flatly conflicts with Irish and European Union law”.

The brief said there was no existing case law that directed the result, and pointed out that there are established government-to-government channels for transfer of personal data to law enforcement, called mutual legal assistance treaties (MLAT).

“Rather than relying on the process established through these MLATs,” Privacy International said, “the US government is seeking to unilaterally seize data held in Ireland, conflicting with both Irish and EU data protection laws, and undermining the right to privacy that those laws were designed to protect.”

A similar argument was made by IBM, which said the government has “ample tools at its disposal, aside from the [Stored Communications Act], to obtain the same data that it seeks here”.

MLATs “may be imperfect… [but] they are not unworkable”, IBM said in its amicus curiae (PDF). It added that although the Stored Communications Act needed to be updated to “reflect contemporary technological developments, such as the cloud, that is a problem for Congress, not this Court, to rectify”.


Both IBM and Privacy International warned of the effect granting the DoJ access would have on future cases and other companies.

“Similar violations of foreign law would occur in countless other cases if the Government is given the expansive authority to issue extraterritorial warrants that it now seeks,” said Privacy International.

The group argued that, if granted, the US government’s demand “creates an untenable situation for many other companies” because it would set a precedent.

“Companies would increasingly be in the position of having to potentially violate the laws of the countries in which they operate in order to comply with warrants issued in the US,” the campaign group said.

Meanwhile, IBM said that it could damage US cloud providers’ business prospects.

The court should “recognize that while this case involves an individual cloud user, the Court’s decision may well have a significant impact on enterprises”, Big Blue said.

It argued that – unlike individuals – enterprise clients can, and do, “contract for a menu of specific conditions relating to data storage and maintenance, including the data’s physical location”.

This is crucial to the case because the US government has argued that Microsoft has the sole power to choose where it stores data, and should be able to migrate it back to the US, to hand it over to the government.

IBM said that allowing access to cloud data stored abroad would “significantly disadvantage US cloud services providers when it comes to competing for enterprise clients, who may prefer to use cloud services from a company with no presence in the United States”.

It added: “This concern is not a hypothetical; it was on full display following disclosures about the US government’s surveillance programs, and it continues to be a topic of significant concern for enterprise customers today.”

Both briefs urged the Supreme Court to affirm the judgment of the Second Circuit.

Oral arguments are due to be heard in the case at the end of next month. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/19/microsoft_data_centre_privacy_international/